/ JavaScript

JavaScript RE 2: Simple JS Dropper (Nemucod)

Back in late 2015/early 2016, these .js files were the bane of my existence. These often times came bundled as attachments in Fedex or UPS phishes. Thankfully, we started blocking .js attachments and these sort of just went away one day.

The good thing about these things were they were good practice. (Although once you do a few of these, you will realize they're all pretty much the same.) They're simple .js files, so there's nothing to do beyond deobfuscating the JavaScript. Simple right? Let's get to it! I have tacos and margaritas waiting for me in an hour...

Here's the file so you can follow along:

MD5: b7c9e9d01dcb76da3b250d51f8ac5242

SHA256: d17bcc3493d88232994b5295d291a4a7cbd4f9341b4b1533fb35345092dcab89

Let's open this up really quick and see what we're working with.

.js file contents
Figure 1: That's a lot of adding and whatnot going on.

As always, this is pretty ugly looking, but at its core, it looks like it's really just a bunch of variables being added to each other. Near the bottom, you can see l54(l96). This is a pretty dead giveaway of what is going on. Before we discuss what exactly is going on, let's make this look a little prettier.

JS Beautified
Figure 2: Wow this screenshot is terrible, but just throw the code into JSBeautifier.

Okay, JSBeautifier makes it a little easier to see what is going on. The top portion of code declares a ton of variables. Then, the variables are all consolidated into l96 and l54. Finally, at the bottom, we notice l54(l96). This is going to be the eval() call that runs the code after it's built out in l54.

There are several ways we can attack this. One option would be to manually go through and add each variable together in l96. While this is definitely doable, I don't recommend it because frankly, that's a stupid way to do it. The next thing we could do is throw it into JSDetox. JSDetox actually does great with code like this, and with the click of a button, this will do everything for us. Finally, we could use our BESTEST FRIEND FOREVER AND EVER AND EVER AND EV.... Google Chrome. Let's approach it first with Chrome, as it's better to know how to do it yourself and not rely on tools such as JSDetox (because JSDetox fails all the time!). Then, I'll show you the lazy man's approach with JSDetox.

Google Chrome Method

Just like last time, we're going to paste our code into the console and see what we're working with. Now, one important note: I can tell you ahead of time this is not going to work. Why? Because these little .js files ALWAYS used WScript. So what's the problem? Well, WScript will only run on Windows. When you put WScript in Google Chrome, it has no idea what to do with it.

No WScript in Chrome!
Figure 3: Hey! None of that WScript garbage allowed in Chrome!

Uncaught ReferenceError: WScript is not defined. Yup, no WScript. No big deal though, we're not really interested in running the code, we just want to see what it does. Earlier we talked about l54 being the eval() function. Let's verify that quickly.

l54 is eval
Figure 4: Look, the eval() function!

Just as predicted, l54() is simply eval(). Okay, so we could just this line: l54(l96);, but it's not really necessary in this case. The information we want is already stored in l96. All we need to do is print it out to the console.

Code in l96
Figure 5: Impossible to see, but here's the code inside l96! We did it!

Hey, there's our readable code! Let's make this look a little nicer and take a look at what it does.

Nemucod Code
Figure 6: All your bases are belong to us because we encrypted them. ;)

Well, there you go. Clean, readable code. Nemucod is a pretty simple little downloader and is easy to understand, so I encourage you to read through it and see what it does.

JSDetox, for all you lazy people!

Okay, so now that we understand how to do this manually, let's take the lazy approach. (I mean, lazy is always best I guess, right?) Fire up JSDetox on your REMnux box, paste the code in and hit "execute".

JSDetox Executed!
Figure 7: Once again, JSDetox says none of that WScript garbage. Click on "Show Code" and we'll get our deobfuscated code!

Now, just simply click on "Show Code" and Voila! Happy Birthday! It's always nice to get the answer in 5 seconds.

JSDetox Deobfuscated Code
Figure 8: JSDetox is the winner this round! Answer in 5 seconds!

As I said, Nemucod is a pretty easy to understand dropper, so spend some time to figure out just how this thing works. You'll notice the encryption message in the code that I was joking about earlier. At the time I got this sample, Nemucod dropping ransomware. Pretty neat stuff!

As always, if you have any questions or comments, feel free to comment below. Now that we're getting fairly confident, let's tackle something a little more difficult in the third entry of this series!


Muzi is an Incident Responder at a large consulting firm. His current interests are network security, keyboards, tequila, and Korean culture. These interests are bound to change in the next hour.

Read More
JavaScript RE 2: Simple JS Dropper (Nemucod)
Share this